From b1961e14ea6e3bcdc80ca6e02e80646280b3a86a Mon Sep 17 00:00:00 2001 From: Alfredo Moralejo Date: Wed, 26 Jul 2017 18:51:54 +0200 Subject: [PATCH] Use SELinuxfs to check selinux status Currently, the cleanup script is using existence of semanage binary to check if selinux is enabled. However this is misleading and can lead to problems when selinux is disabled in a system where the binary exists. This patch changes the detection logic to use /sys/fs/selinux directory which is an in-memory filesystem created only when selinux is really enabled. Change-Id: I008f8bbc9c8414ce948c601e3907e27764e15a52 Related-Bug: 1706386 --- .../elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore index c4b1e1eb..a179ae9c 100755 --- a/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore +++ b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore @@ -45,7 +45,7 @@ fi # for whatever policy is in the host kernel. We will run under # "runcon" to specifically allow this _runcon="" -if [[ -x /usr/sbin/semanage ]]; then +if [[ -d /sys/fs/selinux ]]; then sudo semanage permissive -a setfiles_mac_t _runcon="runcon -t setfiles_mac_t -- " fi
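Review bot: the new test in the `if [[ -d /sys/fs/selinux ]]` line no longer guarantees that the command in its body can run: the branch still calls `sudo semanage permissive -a setfiles_mac_t`, but nothing now checks that semanage is installed. On a host where SELinux is enabled and the binary is missing, that call fails, and `_runcon` is still set to `runcon -t setfiles_mac_t -- ` afterwards, so the later relabel would run in a domain that was never made permissive. Consider requiring both conditions, for example `if [[ -d /sys/fs/selinux && -x /usr/sbin/semanage ]]; then`, or resolving the binary with `command -v semanage` rather than a fixed path, and logging a message when SELinux is enabled but semanage is absent so the skipped step is visible in the build output. A short comment above the test saying that /sys/fs/selinux is only present when SELinux is really enabled would also keep the reasoning from the commit message next to the code.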